IBM Cognos Business Intelligence (BI) is installed as a part of an IBM Connections Metrics 4.0 deployment. This article explains how to set up an ODBC connection to an SQL Server from Cognos BI on LinuxAIX and then configure an ODBC connection to SQL Server in Cognos Administration for ...

Metrics is a new component in IBM Connections 4.0 supported by IBM Cognos® Business Intelligence, which is installed as a part of a Connections deployment. So if you want to configure IBM Connections to use Secure Sockets Layer (SSL), you must deal with the Cognos part as well. This article ...

Moderation is a component in IBM® Connections 4.0 that allows moderators and Community owners to better control what is displayed in certain applications. Moderators can review Blogs, Forums, and Files content before it is posted to Connections, and manage content after it is added to IBM ...

Metrics is a new component in IBM Connections 4.0 supported by IBM Cognos® Business Intelligence, which is installed as a part of a Connections deployment. So if you want to configure IBM Connections to use Secure Sockets Layer (SSL), you must deal with the Cognos part as well. This article explains how to configure SSL for a Connections server with Metrics installed, focusing on the SSL configuration for Cognos.

Introduction

The Metrics application is one of the new components in IBM® Connections 4.0, providing clear business value to users, executives, and administrators by use of simple charts. Metrics is supported by IBM Cognos® Business Intelligence, which is installed as a part of a Connections deployment. So if you want to configure your Connections to use Secure Sockets Layer (SSL), you must deal with the Cognos part as well.

This article shows you how to configure SSL for a Connections server with Metrics installed, focusing on the SSL configuration for Cognos. In general, the process consists of configuring:

Configuring LDAPS (LDAP via SSL) for Cognos

When configuring IBM Cognos to communicate with an LDAP server by LDAP via SSL (LDAPS) you must provide an SSL Certificate Database. This section describes how to get an SSL Certificate Database and then configure SSL in Cognos.

Obtain the Network Security Services (NSS) toolkit

First, we need to download the most recent version ofNSS from the Mozilla Web site. Unfortunately Mozilla no longer provides binary releases, but we can use one of the most recent binaries that is known to work well (NSS 3.12.4).

Select the sub-folder representing your Operating System (msvc9 is suitable for all Microsoft® Windows® versions), choose the "OPT.OBJ" folder, and download the ZIP file.

NSS is used to generate the certificate database that is used by Cognos later. The server locating NSS need not to be the same OS as that of the Cognos server. For example, you can install NSS on a Windows machine, generate the database using it, and then copy the generated certificate database to the Cognos server on Linux or Windows OS.

Here, we use a Windows machine to install NSS, downloading the Windows version of NSS 3.12.4 from the following site:

Install the certutil tool

Add the NSPR libs to the environment so that certutil can pick them up by adding NSPR-<version>/lib to the library path for your system. For example, on Windows, it's SET PATH=%PATH%;<NSPR_PATH>/lib.

Create the keystore

Cognos Business Intelligence can establish trust with a presented server certificate for LDAPS connection based on either the server certificate imported as a valid signer certificate or on the root CA certificate that signed the server certificate.

If you choose to proceed with the server certificate, it is sufficient to import only the server certificate; you don't necessarily need to import the CA certificate as well. Here we show how to import the server certificate on a Windows machine. If you want to import the CA certificate, refer to the Cognos Support Technote #1344083, “Configuring LDAPS (LDAP via SSL) for CRN/Cognos 8.”

Acquire the certificate(s) to use in Base-64 encoded X.509 (PEM) format. The most straightforward approach is to ask the LDAP server administrator for the certificate. If you cannot get it by this way, you can use WAS to generate the certificate file instead:

a) Follow Steps 1--5 in Section 2, “Configuring LDAP SSL certificate in WAS Administrative Console” till you get to the Signer certificate window (see figure 5).
b) Select the check box of the certificate created in the last section (that is, idsldap), and click the Extract button.

Figure 5. Signer certificate window

c) Enter the absolute file path with file name in the File name field, in this case, idsldap.cer (both “cer” and “cert” suffix are OK), as shown in figure 6.
d) Select Base64-encoded ASCII for the Data data, and click OK to extract the file.

Figure 6. Extract signer certificate window

e) You will find there's one “idsldap.cer” file under D:\ on the WAS machine. Copy the “idsldap.cer” certificate to the machine on which NSS is installed.

2. Create a directory to hold the certificate database that will be created in the next steps, for example "mykeys" (d:\mykeys).

Provide the absolute path to the folder that holds the cert7.db/cert8.db files (the folder just copied from Step 1), for the SSL Certificate Database property in Cognos Configuration as shown in figure 8.

Select File --- Save.

Figure 8. IBMConnections Namespace

4. Verify the LDAP SSL connection by right-clicking on the IBMConnections LDAP namespace and selecting Test. If the SSL connection can be established successfully, the test will succeed.

5. Exit the Cognos Configuration tool, making sure to select No at the following prompt: “The service 'IBM Cognos' is not running on the local computer. Before you can use it your computer must start the service. Do you want to start this service before exiting?

6. Save configuration and restart the Cognos server:

a. Stop the WAS server that hosts the Cognos server.
b. Wait at least 1 full minute to ensure that all Cognos processes have stopped:

Configuring HTTP for SSL (if HTTP server is deployed)

If your server is configured with HTTP server, refer to the Product Documentation topic, “Configuring IBM HTTP Server for SSL,” for details on how to do this.

Conclusion

This article has explained the step-by-step instructions for configuring Secure Sockets Layer (SSL) for the Connections Metrics application. You should now know how to configure SSL in a Connections server and a Cognos server to secure Metrics.

About the author

Rong Rong Wang is a Staff Software Engineer based at IBM's Beijing, China, Lab. She currently works as the Team Lead for the Functional Verification Test team for the Connections Moderation feature and also works on testing Metrics in IBM Connections. She can be contacted at rrwang@cn.ibm.com.